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Image Steganography and Global Terrorism 


Kaustubh Choudhary 


Abstract — This paper informs the reader how an innocent looking digital image hides a deadly terrorist plan. It analyses the strengths of image stega- 
nography and the reasons why terrorists are relying on it. It also aims to generate interest among the scientific community about Image steganography 
so that experts from multiple disciplines may join hands for devising better steganalysis techniques against the global terrorism. In this paper a basic 
digital image is analyzed and based on this analysis an LSB based steganographic algorithm is designed. Using this algorithm a software is developed 
and its performance is compared with various other steganographic tools available on the internet. The result of this comparison explains us why stega- 
nography is so much preferred by terrorists. Various images and image related tables used in this paper are generated using MATLAB© Simulation Envi- 


ronment. 


Index Terms— CIA Compliance, Cyber Crime, Image Steganography, Information Security, LSB Insertion, Terrorism. 


1 INTRODUCTION 


| prcemtion Security rests on the three pillars of Confiden- 
tiality, Integrity and Availability of the communication chan- 
nel. The trio is jointly called CIA compliance of the informa- 
tion network. The confidentiality means concealment of the 
sensitive information or software from the person who is not 
supposed to know the same. Integrity means trustworthiness 
of the data. It can be insured only if the data is obtained from 
the dependable sources and is frequently updated time to 
time. Availability means ability to use the information or re- 
source as and when desired by the concerned user. To achieve 
this, most command and base level military communication 
use hack proof dedicated Wide Area Networks based on spe- 
cial Mil-Grade software protocol stack and a separate hard- 
ware at the physical layer itself. But even terrorist organiza- 
tions need CIA Compliant communication channel. But most 
of their agents operate deep inside the civilian population and 
cannot afford dedicated networks used by their government 
counterparts. In such a scenario only other communication 
channel available to them is the World Wide Web. In order to 
use Internet as a CIA Compliant network, these terror organi- 
zations are developing and using special kind of softwares 
which allows them to clandestinely communicate with full 
secrecy [1]. Fig.1 explains the general working of one such 
most frequently used software. 

It uses combination of steganography (Explained in next para) 
and cryptography. Both the communicating parties have the 
same software represented in the Fig.1 by Z. This software Z 
(mathematically it is crypto-stego function) is fed with the 
information D (ASCII Characters), a Cover-image C (any im- 
age file) and a alpha-numeric secure key K. At first step it en- 
crypts the information D using secure-key K using any partic- 
ular Encryption algorithm. In next step this encrypted data is 
hidden in the cover image C. This modified image containing 
the data D is called as Stego-image and represented in Fig 1 by 
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S. The stego-image is sent to the receiver either through E-mail 
or by uploading the same in any particular website. The re- 
ceiver feeds this Stego-image S in to the software Z (possessed 
by both the communicating parties) along with the secure-key 
K (known to both the users) and gets the required data D. 
Ample documentation and research articles are available on 
the internet regarding various encryption standards like AES, 
DES, 3DES and IDEA to mention few. So in this paper we are 
concentrating on the steganographic component of any such 


E-mail or Website 
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Fig 1 General Working of the Clandestinely Communicating Sofware 


software. Steganography is the art and science of writing hid- 
den messages in such a way that no one, apart from the sender 
and intended recipient suspects the existence of the message. 
It is based on invisible communication and this technique 
strives to hide the very presence of the message itself from the 
observer. It is two part word of Greek origin- stecho or cov- 
ered and graph or writing. The earliest known stegenography 
technique was developed in ancient Greece around 440 B.C. 
Herodotus’s Histories describes the earliest type of stegeno- 
graphy. It states that “The slave's head was shaved and then a 
Tattoo was inscribed on the scalp .When the slave's hair had grown 
back over the hidden tattoo, the slave was sent to the receiver. The 
recipient once again shaved the slave’s head and retrieved the mes- 
sage”. 

All steganographic techniques use Cover-Object and the Ste- 
go-Object. Cover-object refers to the object used as the carrier 
to embed the messages into it. In the above example the slave's 
head is the cover object. In modern context Images, file sys- 
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tems, audio, and video as well as HTML pages and even 
email-spams can be used as cover objects. Whereas stego- 
object is the one which is carrying the hidden message. Le. in 
the above example the ‘slaves head with fully grown hair and a 
hidden tattoo’ is acting as a stego-object. In the software men- 
tioned above the Digital Image with hidden data is the stego- 
object. 

Image steganalysis (finding out the information stored in the 
stego-image) is a challenging task. Analysis of the image re- 
quires complex mathematical and statistical operations to be 
performed on large three dimensional matrices and consumes 
very high computational power. Also we do not have any 
foolproof statistical and mathematical function capable of 
crisply differentiating the stego-image from bulk of innocent 
images flowing through the web every day. This identification 
of the steganographic signature in the stego-image is the most 
difficult part of any steganalysis algorithm. Somehow even if 
we identify the stego-image still the lack of knowledge of the 
stego-function (the algorithm which is converting cover-image 
into stego-image) makes the process of determining the hid- 
den data very difficult as we do not know in what form and in 
which part of the stego-image the data is hidden. This makes 
image and video steganography the most favorite tool among 
the terrorist networks. It is said that Al-Qaeda has been using 
it long before 9/11 suicide attacks (September 11, 2001) [2] [3] 
[4]. In the software mentioned in Fig. 1 the secret message is 
hidden using Digital Image as the cover object. Thus before 
proceeding to Image Steganography, the analysis of the Digital 
Image in detail is a prerequisite. 


2 DIGITAL IMAGE 


Every Digital Image consists of several smallest possible dis- 
crete picture elements known as Pixels. For better analysis of 
the digital image a very small 11 x 8 pixel 24 bit BMP Image [5] 
(image with 11 rows and 8 columns of pixels) has been created 
as shown in Fig 2.a. Since the image is too small for printing 
purposes so the same is enlarged by pixel spreading (Fig 2.a) 
and pixel enlargement (Fig 2.a). This image is analyzed using 
Matlab to produce detailed view of each pixel (shown as rec- 
tangular blocks) along with the row and column number of 
each pixel as given in Fig 2.b. 


Fig 2.a 24 bit 11x 8 Pixel BMP Image 
Each pixel is made up of combination of three primary colors- 
Red, Green and Blue. It is the combination of the varying in- 
tensity levels of these three primary colors which produces all 
other colors in the digital image. In Fig. 3 the same 11 x 8 pixel 
image is shown as combination of three primary colors. If P(i,j) 


represents Pixel located at position (i,j) in the image. Then any 
image of dimensions m x n can be represented as matrix of 
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Fig 2.b Image analyzed using Matlab 
pixels P(i,j) with i varying from 1 to m and j varying from 1 to 
n. Further each pixel P(i,j) is the combination of intensity le- 
vels of the Red, Green and Blue at the location (ij) in the im- 
age. Also memory required for storing every pixel P(ij) is the 
sum of memory required to store the intensity levels of Red, 
Green and Blue at the location (i,j). Mathematically every pixel 
P(i,j) = {RGj) ,GGj) „BGj)} where Rij), Gj), Bij) represents 
the intensity levels of Red, Green and Blue colors at the loca- 
tion (ij). In a 24 bit BMP image every pixel consumes 24 bits 
for storing the 8 bit color intensity levels of Red, Green and 
Blue. Hence, all color variations are derived from the combina- 
tion of these three colors and their varying intensity levels 
represented by 8 bits (where (00000000): corresponds to inten- 
sity of decimal 0 and (11111111)2 = 2%214+22+23+24+254+26+27 cor- 
responds to intensity level of decimal 255). 


Fig 3 Image as Combination of Varying Intensity Levels of Three 
Primary Colors 

Thus any pixel can be combination of 256 different shades 
(ranging from intensity level of 0 to intensity level of 255) of 
red, green and blue resulting in 256 x 256 x 256 or more than 
16-million colors. Whole range of shades of Red, Green and 
Blue varying from intensity level 255 to intensity level of 4 are 
shown in Fig 4. Intensity level of 0 in all three colors appears 
Black. Digital images are stored in a three-dimensional matrix 
format with row and column number corresponding to pixel 
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Intensity Levels 


Fig4 Range of Shades of Red, Green and Blue 
position. There are 3 unsigned 8 bit values (these values are in 
Binary format but for ease of representation they are shown in 
equivalent Decimal) at each pixel position (row-column). In 
Table 1.a, Table 1.b and Table 1.c the same 11 x 8 pixel 24 bit 
BMP Image is shown as 3 two-dimensional matrices corres- 


SOCAN DWT FP WN me 


Table 1.a Matrix R showing Red value of each Pixel Position 
(Red Layer of the Image) 


SCAND TT FP WON me 


Table 1.b Matrix G showing Green value of each Pixel Position 
(Green Layer of the Image) 


1 2 3 4 5 6 7 
1 255 0 0 0 255 255 255 
2 255 255 O 255 255 255 255 
3 255 0 64 0 255 255 255 
4 255 255 64 255 255 255 255 
5 25 0 0 0 255 255 255 
6 128 0 0 O 128 128 128 
7 255 0 0 0 255 255 255 
8 255 0 0 0 255 255 255 
9 255 0 0 0 255 255 255 

10 255 0 255 O 255 255 0 
11 0 0 255 0 0 255 192 


Table 1.c Matrix B showing Blue value of each Pixel Position 
(Blue Layer of the Image) 


ponding to Red, Green and Blue intensity levels respectively. 
For instance element present in the first row and first column 
of this image matrix (E(1,1)) contains 255,255,255 as its RGB 
values. So any element located at i row and j* column of the 
image matrix will be now onwards represented by E(i,j) in this 
entire paper. Further every element E(i,j) contains 3 more ele- 
ments R(ij), G (i,j) and B(ij) jointly known as RGB value of 
any arbitrary pixel (ij). 


3 IMAGE STEGANOGRAPHY 

We have just explored that in a 24 bit BMP image every pixel 
occupies 24 bits or 3 Bytes. Out of these 24 bits each of the 
three primary colors occupies 8 bits. These 8 bits carry the re- 
spective color intensity levels at any given pixel. Hence 
amount of color information carried by two least significant 
bits (LSB) is 4 color levels ((00000000), (00000001), (00000010) 
and (00000011) corresponding to intensity levels of 0, 1, 2 and 
3 respectively) out of 256 possible color levels. Thus if the last 
two bits are changed the pixel will have minimal degradation 
of 4/256 or 1.5625%.This minor degradation is psycho-visually 
imperceptible. Marginal alteration of color intensity (from in- 
tensity level of 255 to 250) is shown in the Fig 5 which proves 
that such minor changes are totally imperceptible to human 
eye due to limitations in Human Visual System (HVS) [6]. 

But at the cost of this negligible degradation we get 6 bits (2 
bits each from red, green and blue) out of every pixel for 
transmitting our secret data. Although a general ASCII stan- 
dard requires 7 bits for storing a character. But even with 6 bits 
we can produce (000000 = 0 to 111111=63) 64 symbols. In Eng- 
lish language we have only 26 alphabets. So even after map- 
ping every 6 bit code to a particular English alphabet (small 
letters) we are still left with 38 more 6 bit binary symbols. 36 
out of them can be used for representing normal day to day 
common symbols like !@$%*&*(){}?,+= - “ SPACE etc. While 2 
of them (111110 and 111111) are reserved for two special pur- 
poses and here onwards will be referred as special symbols. 
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The encoding algorithm (algorithm for embedding data in 
cover-image) will operate over the image, pixel by pixel and 
embeds character in one pixel at a time. Once all the characters 
are embedded in the image the special symbol 111111 is in- 
serted in the immediate next pixel (i.e. the pixel immediately 
next to the one containing the last input character. This helps 
the decoding algorithm (algorithm for extracting data from 
stego-image) by informing it to stop reading the image from 
next pixel onwards as no more data is embedded in further 
pixels. We call such a character Terminator Character ‘Tr’ and 
represent it by 111111. Also due to limitations imposed by 6 
bits we were unable to make provisions for capital letters. So 
we use a special character which when follows any normal 
character implies that it was in Capitals. We call it Capitals cha- 
racter ‘Cl’ and represent it by 111110. 


Character Binary 
Symbol 
d 000100 
e 000101 
h 001000 
1 001001 
o 001111 
r 010010 
w 010111 
í 111100 
SPACE 000000 
`Tr’ (Termination) | 111111 


Table2 Characters and their Codes 

We are using our same old 11 x 8 BMP image for storing string 
“hello world”. The code used for representing these 9 characters 
(d, e, h, l,o, r, w, “, SPACE) is shown in Table 2. In Fig 6 the 
stego-image generated after embedding the string is shown as 
combination of 3 primary colors. This stego-image is shown as 
3 two-dimensional matrices in Table 3.a, Table 3.b and Table 
3.c correspond ing to red, green and blue layers respectively. 


r 4 4 4 4 n 


253 252 


Intensity Levels 
Fig 5 Marginal alteration of Intensity Levels 
Now if we compare Table 1 with Table 3 then we see that only 
first two rows have changed. For instance RGB values of ele- 
ment E(1,1) is modified from 255, 255, 255 (Table 1) into 
255,255,252 (Table 3). This is because binary code of first 


Fig6 Stego-Image (string “hello world” embedded) as combi- 
nation of Three Primary Colors 
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Table 3.a Matrix R’ showing Red value of each Pixel 
Position in the Stego-Image containing “hello world” 
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Table 3.b Matrix G’showing Green value of each Pixel 
Position in the Stego-Image containing “hello world” 
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Table 3.c Matrix B’ showing Blue value of each Pixel 
Position in the Stego-Image containing “hello world” 
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character “ of the string “hello world” is 111100 (Table 2). So 
values 11, 11, 00 are inserted as the last two LSB of R(1,1), 
G(1,1) and B(1,1) respectively.Since R(1,1) and G(1,1) already 
contained 255 or (11111111)2 so no change has occurred in 
them. As G(1,1) also contained 255 but the value to be inserted 
in its LSB was 00 so the new value stored by G(1,1) is 252 or 
(11111100)2. Similarly RGB value of E(1,2) is changed from 
0,0,0 to 0,2,0 for embedding character `h’ given by code 001000. 
Similarly all other characters of the string are embedded. Only 
first two rows have changed because only 14 characters are 
inserted: 13 (length of “hello world”) + 1 (Terminator Charac- 
ter). Each row contains 8 elements so only two rows are con- 
sumed for embedding data. At 14" pixel (in row major order) 
represented by element E(2,6) the terminator character (given 
by code 111111) is embedded after which character insertion 
stops from next row onwards . 


4 ALGORITHM FOR STEGANOGRAPHY 


Any pixel P(i,j) consists of 3 eight bit RGB values R(i,j), G(ij) 
and B(i,j). For insertion of data we are modifying only the last 
two LSBs of this eight bit number. Let this eight bit number be 
represented by K in decimal format and kskzkekskskskeki in 
binary format. Hence (K)pecmar or simply K = 
(kskrkekskaksakok:)2 is one of the RGB values for any arbitrary 
pixel P(ij). Mathematically ki = K modulo 2 and 
ko = (K/2) modulo 2. For embedding the character the two 
LSBs ke and kı are replaced by 2 other bits c2 and cı respective- 
ly as per the character’s code (Table 2). 

This algorithm is based on a simple principle of number 
theory. When any natural number is added or subtracted by 1 
then the least significant bit of its binary equivalent gets 
flipped. Also when a natural number is added or subtracted 
by 2 then the second least significant bit of its binary equiva- 
lent gets flipped. We can extract ki and ke from K by perform- 
ing modulo operation on K. Once we know ki and K: then 
they can be compared with ci and c and accordingly action 
may be taken. If they are same no action is required. Else for 
flipping kz we need to subtract 2 from K and for flipping ki we 
have to subtract 1 from K. 

Although subtraction will serve our purpose but this will shift 
the RGB intensity of the pixels in only one direction (negative 
side). Which means the new RGB value for the pixel P(i,j) = 
{R(j),G(@j),Bij)} after embedding the data can be one of these 
R(ij), R@j)-1, R@j)-2, RGj)-3 (Possible R values); G(ij), G(i,j)-1, 
G(ij)-2 , G(i,j)-3 (Possible G values) and B(i,j), B(i,j)-1, B(i,j)-2 , 
B(ij)-3 (Possible B values). This negative shift of R, G and B 
levels may make the stego-image relatively easier to be identi- 
fied by the steganalyst. So for harboring the benefit of obscuri- 
ty by randomization we should simultaneously use addition 
also. The combination of addition and subtraction will more 
randomize the image and make it more difficult to stegana- 


lyse. By using combination of addition and subtraction the 
possible RGB values for Pixel P(ij) are R(@j)-1, R(ij)-2, R@j)-3, 
R(ij), RGj)+1, RGj)+2, R(ij)+3 (Possible R values); G(i,j)-1, 
G(ij)-2, Gj)-3, Gj), GG j)+1, G(i,j)+2, G(i,j)+3 (Possible G val- 
ues) and B(ij)-1, B(ij)-2, B(ij)-3, Bj), B@j)+1, BG j)+2, BY j)+3 
(Possible B values). 
Also the addition in the intensity level of one color and simul- 
taneous subtraction of the intensity level of another color at 
the same pixel will conserve the brightness of the pixel. This is 
because the gray scale intensity of the colored image is ob- 
tained by weighted average of its R, G and B values. As we 
know that for gray scale conversion the weight of G is highest 
among R, G, B so we will get the best results if we use subtrac- 
tion in R and B and addition in G. 
But imprudent use of addition or subtraction for LSB replace- 
ment may cause error in certain bright or dark pixels by either 
raising the color intensity levels above 255 or reducing it be- 
low 0 respectively. To overcome such limitations an algorithm 
is developed which performs addition by 1 when kı is 0 and 
addition by 2 when kz is 0. On the other hand it subtracts by 1 
when ki is 1 and subtracts by 2 when kz is 1. The pseudo-code 
of this algorithm for LSB replacement is given in the boxes 
below (Box 1 and Box 2). It is based on two IF-ELSE control 
structures. Box 1 explains how cz replaces k2and Box 2 explains 
how cı replaces kı. 
IF (k, = = 1) 
IF (c, == 0) 
K= K-2; 
ENDIF 


IF (kı = =1) 
IF (cy == 0) 
K=K-1; 
ENDIF 
ELSE ELSE 
IF (a ==1) 
K=K+1; 
ENDIF 
ENDIF 


IF (c)==1) 
K = K+2; 
ENDIF 
ENDIF 


Box1 LSB Replacement of cz Box2 LSB Replacement of c, 


5 PERFORMANCE EVALUATION 


Based on above algorithm, software was developed in MAT- 
LABO. It was compared with three other free steganography 
softwares available on the Internet (Our Secret, Eureka Stega- 
nographer and Quick Stego). Then all four of them were ex- 
amined using StegSpy 2.1 (the only steganalytic tool easily and 
feely available on the net downloaded from location 
http://www.spy-hunter.com/stegspydownload.htm).It claimed 
to identify signatures of well acclaimed stego-tools like Hi- 
derman, JPHideandSeek, Masker, JPegX and Invisible Secrets. 
But it was unable to identify any data in the stego-images gen- 
erated by all the four test software. On the contrary it found a 
hiderman’s signature in one of the cover image itself (a world 
map obtained from internet). The preliminary comparison 
results are summarized in Table 4. This table also contains 
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he ee eee Algorithm Our Secret Eureka Steganograper QuickStego by Quick 
pay (Section 4 ) (Stegan2) Crypto 
Image Type BMP 24 bit All file types(even doc, All common image types BMP , JPEG , JPG and 
text & media files) ex- except .TIFF GIF 
cept .TIFF 
Interface CUI GUI GUI GUI 
Minimum Image Size 2 Pixel Image 1 Pixel Image or 58 59 Pixels or 230 Bytes 75 Pixels or 282 Bytes 
required for storing a or 62 Bytes Bytes. 
single character (For 
BMP Image) 
Number lower | Upper | Case of the character Case of the character Case of the character 
of cha- case case makes no difference makes no difference makes no difference 
racter char char 
stored in 
24 Bit 100 Pixels 99 49 Infinite characters 25 characters 9 characters 
BMP 
image of | 1000 Pixels 999 499 Infinite characters 607 characters 331 characters 
10000 Pixel 9999 4999 Infinite characters 6411 characters 3516 characters 
Insertion Algorithm 2 bit LSB inser- | Uses file systems. 1 Bit LSB Insertion 
tion (SDT) (SDT) 
Other then characters it x 
Other Features can embed all types of Supports data encryption. 
files also. 
Supports data encryption. 
Comments It can store large file or If information compared to | Crashes after few runs. 
thousands of characters image is very long (Eg: In 
in 1 pixel by increasing 100 pixel image if more 
the memory size of the than 19 characters inserted) 
pixel. then the stego-image gen- 
erated is of unrecognized 
Crashes after few runs. format and is not readable. 
Steganalysis by StegSpy Could not detect | Could not detect Could not detect Could not detect 
2.1 
Web Source Not Uploaded http://www.securekit.net/ | http://www.brothersoft.co http://quickcrypto.com/f 
Yet oursecret.htm m/eureka-steganographer- | ree-steganography- 
v2-266233.html software.html 
Table 4 Comparative Study of Different Stego Tools 


the web source from where these softwares were downloaded. 
Among all the four softwares the Eureka steganographer be- 
haved in most weird manner. As mentioned in Table 4 using it 
we can embed 25 characters in a 100 pixel image but whenever 
more than 19 characters were inserted it produced an unre- 
cognized file format (from which we can retrieve data). But 
this number (19 characters) was not fixed and varied with 
every trial. In certain trials it produced an unrecognizable ste- 


go-file even when 1 character was inserted in the same 100 
pixel image. 

5.1. Susceptibility to Steganalysis 

As mentioned in the Introduction the Steganalysis is a difficult 
task but still we cannot completely rule out its probability. 
Probabilistically every stego-image is susceptible to such an 
attack. To minimize this probability we have to keep differ- 
ences between the cover-image and stego-image very smooth 
and as small as possible. 
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For determining the susceptibility to steganalysis these four 
stego-tools were evaluated by three different techniques. In all 
these three test runs the difference between the cover-image 
and stego-image was calculated using various statistical pa- 
rameters. In first two modes our same old 11 x 8 pixel BMP 
image was used for embedding the data. In first case only 4 
characters (abcd) were inserted in it whereas in the second case 
the stego-softwares were evaluated at full capacity. I.e. maxi- 
mum possible characters which these tools allowed to insert in 
this 11 x 8 pixel image. In third case a large image (300 x 300 
pixel BMP image) was used for embedding 600 characters 
(abc...z1234 in repetition 20 times). 


5.1.1 Parameters for Measurement of Susceptibility to 
Steganalysis 

The various parameters used for calculating the difference 
between the cover-image and stego-image are Mean Differ- 
ence (MD), Mean Absolute Difference (MAD), Standard Devi- 
ation of the Difference (STD) and Range of Difference 
(Z = Zupper - Ziower), number of pixels changed (P) and change in 
the size of the image (in terms of memory occupied) K. These 
parameters are explained below. 

Let cover-image be represented by C and stego-image be 
represented by S. Then cover image C and stego-image 5 con- 
sists of three RGB components Cr, Cc, Cs and Sr, Sc, Ss respec- 
tively. Thus the difference image D = C — S also consists of 
three RGB components Dr = Cr — Sr; De = Ca — Sc and Ds = Cs — 
Ss. Similarly all these statistical parameters have three compo- 
nents corresponding to R, G and B. 

Three components of Mean Difference MD given as MDr, 
MDs and MDs are arithmetic means of Dr, Dc and Ds respec- 
tively. But this parameter does not gives us the exact idea of 
the difference between the two images as the negative and 
positive values in the matrix Dr,Dc and Ds cancel each other. 
To overcome this drawback another parameter Mean Absolute 


MAD 
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Difference (MAD) is introduced. For three color components it 
is represented as MADr, MADc and MADs and corresponds to 
arithmetic mean of the absolute values of quantities in Dr, Dc 
and Ds respectively. But in order to determine the degree of 
abrupt variations in RGB components of cover-image C and 
stego-image S the Standard Deviation (STD) of the difference 
matrices Dr, Dc and Ds is computed and represented as STD, 
STDc and STDs. The STD is measure of sudden sharp changes 
between C and S (Spikes or Grains in difference image 
D=C-S). 

In addition we have used other parameters like Range of dif- 
ference in D given by Zr, Zc and Zs where Zr = ZR upper- ZR tower. 
ZR upper is maximum value in Dr and Zr tower is minimum value in 
Dr. Similarly we can compute Zc and Zs. We have incorpo- 
rated one more parameter to measure the spread of the differ- 
ence and it is given by no of pixels changed in R, G and B 
components of the image and given as Pr, Pc and Ps. Parameter 
K is used for determining the difference between the memory 
size of C and S. 


5.1.2 Results of three Trials 

These parameters as outcomes of the three trials are illustrated 
in Table 5.a, Table 5.b and Table 5.c. From these tables it can be 
very clearly deduced that for N character input the algorithm 
developped in Section 4 modifies N+1 pixels, Eureka stegano- 
grapher tentatively modifies 0.3353N + 1.8096 pixels whereas 
Quick Stego modifies 1.534N + 39.5963 pixels. Further it’s 
worth mentioning that Oursecret’s algorithm does not modify 
any pixel but it increases the size (in terms of memory) of cov- 
er-image file. Thus we can see that Eureka concentrates the 
entire information in few pixels where as Quick Stego and 
algorithm (Section 4) evenly distributes the information in 
larger number of pixels. This explains why Eureka stegano- 
grapher has highest Standard Deviation STD and Range Z. As 
a result of this high STD and Z, the stego-images generated by 
Eureka has grains and spikes as shown in Figure 7. 


5 Pixels 


Blue [00682 [o [oms |3 [3 [6e | Pixels | 
[Rea |o Jo fo Jo Pixels | 
[Green |0 [0 fo fo fo Pixels _|212Bytes 


e Pixels 


Bme | 520 |50 [sa o | 193 | 193 | 3 Pixels 


QuickStego by 
Quick Crypto 


Rea | 030 [osm oee 1} Pas Peo 


| Blue | -0.0795 | 0.3523 | 0.5915 


Table 5.a 4 Characters Inserted in 11 x 8 Pixel Image 
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| Software | MD | MAD STD | Ziower_ | Zapper |Z | P S| KK 


Algorithm 
(Section 4 ) 

(87 Characters) 
Our Secret 

(300 Characters) 


Eureka some 
grapher (Stegan 2) 
(18 Characters) 


| Red [0.9886 _| 1.6023 | 1.7053 | 33 
| Green [0.1818 [1.5227  |1.8417  |-3 |3 [6 88 Pixels | 
me e p a e a e 


a L a E 


[6 | 88 Pixels | 


0 Pixels 


O Pixels aoc Eyes 


[o OC Pixels | 


| Blue | 4.3409 | 8.9091 | 37.3867 |-110 |246 [|356 |7Pixels_ | 
QuickStego by | Red | 0.3182 | 0.5455 | 0.6703 -1 |1 [2  |48Pixes | 


Quick Crypto 
(5 characters) 


| Bue | -0.0909 | 0.3636 | 0.5995 |- [1 2 32 Pixels | 


Table 5.b Full Capacity Evaluation of Softwares Using 11 x 8 Pixel Image 


| Software | MD | MAD [STD | Ziower_| Zapper |Z | P | K 


[Rea [0.0112 [0.0139 [01737 |2 J3 | 
| Green [0.0057 _ [0.0132 [0.1664  |-3 [3 J6 601 Pixels_| 
| Blue [0.0032 [0.0131  |0.1677  |-3 [3 f6  [601Pixeis | 


Algorithm 
(Section 4 ) 


Our Secret 


Eureka 
grapher (Stegan 2) 


[o Jo [O0  [OPixes | 


[Re fo Jo Jo 
[Gren [o0 Jo Jo Jo fo Pixels |252 
[Bue fo _ jo fo _ Jo | 


[0 [O  [OPixeis_ | Bytes 


Stegano- | Red | -0.1508 | 0.1994 | 5.2088 | -240 |198 |438 |201 Pixels _| 


-0.0972 0.1880 4.8514 203 Pixels 


| Blue | -0.2655_ [0.2818 [71111  |-253 |149 [402  [202Pixels | 
QuickStego by | Red | 0.0038 | 0.0103  |01012  f-1 [1 f2  [923Pixels | 


Quick Crypto 


-0.0020 | 0.0103 


| Blue | -0.0043 | 0.0074 | 0.0860  |-1 [1 [2  [668Pixeis | 


Table 5.c 600 Characters Inserted in 300 x 300 Pixel Image 


Fig 7 Grains in the Stego-Image and Difference-Image using 
Eureka Steganographer 
For all other three softwares (Algorithm mentioned in Section 


4, Quick Stego and Our Secrets) the difference between Cover 
Image and Stego Image is so low that it is visually impercepti- 
ble to find any change. So the difference between the two can 
only be established using the statistical parameters mentioned 
in section 5.1.1 Further the range Z of Quick Stego is always 
fixed between -1 and 1. This implies that it uses 1 bit LSB in- 
sertion. Since the algorithm mentioned in section 4 uses last 2 
bit LSB insertion so the overall range lies is between -3 and 3. 
Further we had calculated (Section 3) that the maximum de- 
gradation which may occur in the image after 2 bit LSB inser- 
tion in every pixel will be 1.5625%. But the real error was 
much lower. The average of the Mean Absolute Diffrences 
(MAD) for the algorithm mentioned in section 4 in all the 
three tables i.e. Table 5.a, Table 5.b and Table 5.c came out to 
be 0.565244 intensity levels out of 256 possible intensity levels. 
In percentage terms this difference was just 0.22701% which is 
much lower than 1.5625%. Similarly for Eureka Steganograph- 
er average MAD was found out to be 4.901389 intensity levels 
or 1.9146% difference whereas for Quick Stego it was just 
0.30994 Intensity Levels or 0.12854% diffrence. 
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Thus we see that Quick Stego has less data embedding capaci- 
ty and it is least susceptible to general steganlytic attack 
among all four. Our Secret does not modify the image because 
it changes the memory allocation in the file system but it is 
susceptible to steganalytic attack as the file size increases. Al- 
gorithm mentioned in section 4 has large information carrying 
capacity but it is more susceptible to attacks then Quick Stego. 
Eureka is always an easy prey for most steganalysts. 


5.2 Steganlysis 


Before we begin with steganalysis we should know various 
communication channels and techniques through which these 
stego-images are being used by terrorist organizations and 
secondly the reasons why they are relying on it so much. 


5.2.1 Channels and Techniques used by Terrorist organi- 
zations 

As mentioned in the introduction, for any communication 
channel meeting CIA Compliance is must. To achieve it terror- 
ists are using stego-images for one to one communication via 
e-mails. On the other hand these stego-images are used as 
Electronic Dead Drops [7][8][9][10]. Dead drop is a Cold War- 
era slang connoting a place (like a common letter box or a 
common book in a public library) where spies left information. 
It helped the two communicating parties to avoid direct meet- 
ing or knowing each other. Thus it provided advantages of 
anonymity. On similar lines the terrorists upload stego-images 
in a public forum (eg Online Auction site E-Bay) and thus keep 
communicating without knowing each other. [7][11][12][13]. 
There does not exist any coordination, meetings, E-mail or 
instant messaging between them. All that exists is a picture 
posted to a public forum, and then downloaded by anyone 
sufficiently enticed by the subject line of the image (even third 
parties can download the image). But images posted in the 
forums not only serve as electronic dead drops but can also be 
used for broadcasting the secret message globally to all the 
agents operating in different geographical regions. Thus it 
facilitates completely anonymous and asynchronous commu- 
nication. Also these stego-images are used by terrorists for 
safely carrying and storing secret information hidden in nor- 
mal appearing videos and Images in their personal computers 
and memory cards[1][2]. 

5.2.1 Advantages offered by Steganography 


A legitimate company never needs to use dead drops. But the 
terrorists need it. Thus the very aspect of secrecy makes it a 
potent tool in terrorists’ hand. The main reason for using ste- 
ganography is the cost of inserting the data in the image is far 
lower than the cost of detecting even the presence of data in 
the same-stego image. In some cases it may even be impossible 
to detect any presence of data. For instance, a one bit, “yes” or 
“no” message embedded in a big image file would be nearly 


impossible to find [14]. Moreover these image files could be 
easily converted into video files and collages and can make 
detection even more difficult. 

The smaller the size of information, the harder it is to find. 
This can be numerically established by comparing MAD and 
STD fields of Table 5.a with Table 5.b. The average Standard 
Deviation of the Difference (STD) for all three softwares (our 
secret is not considered because it has different insertion me- 
chanism) is 9.48332 intensity levels when only 4 characters are 
embedded (Table 5.a) whereas it is 13.85123 intensity levels 
when all the three softwares were evaluated at full capacity 
(inserting 36.67 characters on an average) (Table 5.b). For the 
same two sets of observation the average Mean Absolute Dif- 
ference (MAD) is 1.795467 intensity levels and 3.896478 Inten- 
sity Levels respectively. 

Further the lack of knowledge of insertion algorithm makes 
detection even difficult. Even after detection the extraction of 
data is another herculean task. For instance algorithm men- 
tioned in section 4 inserts a character at every pixel by using 6 
bits in each pixel. But use of 6 bits for representing a character 
is not a standard ASCII method for denoting a character. Fur- 
ther this algorithm reads the pixel continuously in row major 
order. Some other algorithm may do it by combining Row Ma- 
jor, Column Major and even diagonal order and may read pix- 
els in any other pattern. 

Most alarming is the fact that this algorithm (section 4) is 
based on one of the simplest image steganographic techniques 
(Spatial Domain Steganography based on changing the pixels 
through LSB Insertion) and still it can have so many variants. 
But the real steganographic algorithm used by terrorists is 
much more complex and will be using combination of mul- 
tiple steganographic techniques like Transformation Domain 
Steganography[15] (Discrete Cosine Transforms as used in 
JPEG Images, Discrete Wavelet Transform or even Fast Fourier 
Transform for embedding information in the transform do- 
main of the image signal), Spread Spectrum Steganography 
[16] (evenly spreading the information over entire image i.e. 
reducing the Steganographic Signal to Noise Ratio to mini- 
mum possible levels) or may use a different color space itself 
(Example RGB may be converted to YCbCr) and various other 
techniques [17]. 

Another difficulty in image steganography is analysis of the 
image. This requires various mathematical and statistical op- 
erations to be performed on large three dimensional image 
matrices. This consumes very high computation power and is 
almost impossible to be performed for every image in the cy- 
ber space. 


5.2.2 Steganalysis 


Identifying a stego-image using visual clues is almost imposs- 
ible. Among all the four test softwares only the Eureka soft- 
ware produced visually perceptible grains. That too we could 
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locate only after subtracting the stego-image from cover- 
image. Also in section 5 we saw that steganlysis software Steg- 
spy 2.1 was unable to detect any presence of information in 
any of the trials. This was because it was designed for detect- 
ing particular steganographic signatures which was consider- 
ably different from the one used in any of the four softwares. 
Unfortunately we have plethora of steganographic softwares 
[18] and algorithms [17] and thus detection becomes even 
more difficult. 

Most steganalysis algorithms can be broadly classified in to 
three types. Passive Steganalysis (only detection of stegano- 
graphic signatures), Active Steganalysis (detection followed by 
extraction of data from the stego-image) and Active Warden 
(detection followed by destruction of the hidden information 
or embedding counter-information) [19]. 

As mentioned in section 5.2.1 these stego-images are either 
being uploaded in the Public forums or they are being used 
for one to one communication through e-mails and by carry- 
ing them personally. If public forums are used then web craw- 
lers [20] can be used for associating every image on the Inter- 
net with its vital statistical and mathematical parameters. So if 
any of those parameters change then the crawler will alert the 
steganalyst. But the terrorists are equally smart. For every part 
of the secret message they must be using a different and every 
time a new image. So these crawlers have to be combined with 
image processing, statistical and mathematical tools for active- 
ly steganalysing every image on the net [13][21]. For the im- 
ages used in one to one communication either through emails 
or obtained from any other suspicious source reliance can only 
be on active steganalysis based on probabilistic, statistical and 
mathematical models. 

For analysis of such suspicious images we can use various 
methods like Brute Force Attacks, Pattern Matching, Stir Mark 
Attack [7], Statistical Attack [21], Transform Domain Attacks 
and many more. Brute force method uses pixel by pixel analy- 
sis of the image and hence consumes very high computational 
power and time. But still it is highly unreliable. On the con- 
trary use of statistical method like Kurtosis Analysis, His- 
togram Analysis and Neighbourhood Analysis of the pixels 
though marginally speeds up the steganalysis process but 
leads to frequent False Alarms and hence reliability is still 
not achieved.Further the probabilistic methods rely on the 
fact that Image Matrices and Hidden Information are not 
purely random numbers (in any natural image the pixels do 
not change abruptly and colour of any pixel is dependent on 
the colour of the neighboring pixels thus they are auto- 
correlated moreover the data inserted is never random and 
modifies the image in a fixed pattern) and hence pattern 
matching algorithms can detect the presence of data in the 
image [22]. Further one of the best and most successful attack 
technique Stir Mark Attack [7] uses a series of mathematical 
transformation (assuming the data and image is not random) 


and thus amplifies the defects in the image. In the case of in- 
nocent image though it suffers degradations but still its edges 
are visually perceptible. Whereas the stego-image (which al- 
ready had initial distortions) gets completely degraded to 
noise and becomes unidentifiable. 

Also some steganalysis techniques use parameters like 
changes in size, file format, last modified timestamp and 
changes in the color palette of the image. Since every digital 
image has a unique digital file signature (Hex Signature and 
ASCII Signature) and any modification in the image will 
change these signatures. StegySpy 2.1(software used for stega- 
nalysis in section 5) relies on this method [23] but we have 
seen that it failed to identify any stego-signatures in all the 
four test softwares used. 

In order to understand the difficulties associated with these 
steganalytic techniques, one such technique based on Row 
Gradient Profile of the image (Fig 8) is discussed in brief. It is a 
combination of pattern matching and statistical process and is 
a type of Neighborhood Analysis of the pixel. 

It analyzes the inter row difference of the intensity levels of 
the pixel in the image also known as Row Gradient Profile or 
Simply RG Profile of the image. The image used here is of 
60 x 130 pixels and 1080 characters are stored in it using algo- 
rithm developed in Section 4. Since each character is stored in 
1 pixel so first 18 rows of the image contain data. This inter- 
row difference or Row Gradient of the image is plotted. 

As we can see that parameters of Cover-Image (Upper Graph) 
and Stego Image (Lower Graph) are clearly very different on 
the left of the black line (till 18 Row of Image) and exactly 
identical on the right of the black line. But in real life scenario 
we will have only Stego Image from which we can obtain only 
lower graph. By using this lower graph only, it will be very 
difficult to conclusively say that image is a malicious stego 
image. 


6 CONCLUSION 

This paper provides a macro view of Steganography and Ste- 
ganalysis and analyses the methods and reasons the terrorists 
are relying on it. Even a simple steganographic algorithm can 
hide data so efficiently that steganalysis become very difficult 
on various accords of time, computation power and money. 
But the real world terrorism uses more complex and innu- 
merable steganographic algorithms. Till date we do not 
have any foolproof method of steganalysis. Considering the 
volume and size of information transferred over the web 
and the cost and time for steganalysis, it becomes virtually 
impossible to keep track of every file. Moreover most of the 
countries which are either centers of terrorism or its victims 
are second and third world countries (Fig 9) and do not 
have any dedicated and efficient system for policing such 
mammoth volumes of data flow. Interestingly some of 
these countries (mainly located in South East Asia and 
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Fig 8 Row Gradient Profile of 60 x 130 Image with 1080 Characters (First 18 Rows) stored using Algorithm developed in Section 4 


Middle East) have immense technical potential and vast 
Information Technology base but still most of them do not 
have any dedicated cyber security agency. Although Police 
Forces in most of the developing nations have started cyber 
cells for handling various cyber crimes and most of the 
strategic departments in emerging countries have estab- 
lished base, command and ministry level Information 
Technology Offices but their sole purpose is maintenance of 
information security in their own respective departments. 
None of them is dedicated for monitoring the internet traf- 
fic.This inherent weakness gives the Terrorist Leader the 
luxury to safely hide in countries where cyber-security is 
lackadaisical and inadequate.From such countries he keeps 
uploading malevolent images containing terrorist informa- 
tion and his Agents worldwide visit those concerned web- 
sites and keep getting his orders by just one click on the 


Fig 9 Centers of Terrorism (as of 2009 from Wikipedia) 


image. On the one hand this technique hides the location of 
his agents and on the other hand it also provides the ad- 
vantages of dead-dropping, anonymity and secure broad- 
casting worldwide. In this regard it is noteworthy to 
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mention that soon after establishment of US Cyber Com- 
mand (USCYBERCOM) the countries like China, Britain, 
North Korea and South Korea have already begun prepar- 
ing their cyber force against international cyber space (in- 
cluding the ones of the terrorists as well as those of their 
enemies). But the situation is relatively grim in most other 
countries in general and developing countries in particular 
not just because of lack of technical knowhow, man power 
or money but also due to poor foresight. Hence the need of 
the hour is to take enduring and vigorous measures against 
Cyber Terrorism and at the same time experts from mul- 
tiple disciplines and countries must join hands to fight this 
menace to make world a safer place. 
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